PIX to PIX VPN with dynDNS

Discussion in 'Cisco' started by Ivan Ostres, Jul 15, 2004.

  1. Ivan Ostres

    Ivan Ostres Guest

    Hi all,

    I have a very specific situation. I have a user with two sites connected
    to internet using ADSL (in Europe). He doesn't have a static address on
    any site. He would like site-to-site VPN (yes, cheap) so we are
    considering using PIX 501 on every location and using dyndns service.

    The thing is that addresses are changing every 48 hours.

    I'm aware that this could work if one address is static and other is
    dynamic or both are static, but don't know if it will work if both are
    dynamic.

    Can I use FQDN in configuration instead of IP address for VPN parameters
    on PIX? If not pix, small router would be good too. Anyone tried that?
    If Cisco couldn't do that, is there any other solution that would work?

    Please help.

    --
    -Ivan.

    *** Use Rot13 to see my eMail address ***
     
    Ivan Ostres, Jul 15, 2004
    #1

  2. * Ivan Ostres wrote:
    > I have a very specific situation. I have a user with two sites connected
    > to internet using ADSL (in Europe). He doesn't have a static address on
    > any site. He would like site-to-site VPN (yes, cheap) so we are
    > considering using PIX 501 on every location and using dyndns service.
    >
    > The thing is that addresses are changing every 48 hours.


    You get what you pay for.
    Bad luck.

    > Can I use FQDN in configuration instead of IP address for VPN parameters
    > on PIX?


    You can, but the PIX will look up the name only once (IIRC).

    > If Cisco couldn't do that, is there any other solution that would work?


    You get one cheap product, so go out and buy another cheap router. Of course,
    they lack several features, but they can deal with dyndns (cheap!) or X.31
    calls over ISDN (cheap!).

    You might have a look at Bintec.
     
    Lutz Donnerhacke, Jul 15, 2004
    #2

  3. Ivan Ostres

    Jens Haase Guest

    "Lutz Donnerhacke" wrote
    > * Ivan Ostres wrote:
    > > I have a very specific situation. I have a user with two sites connected
    > > to internet using ADSL (in Europe). He doesn't have a static address on
    > > any site. He would like site-to-site VPN (yes, cheap) so we are
    > > considering using PIX 501 on every location and using dyndns service.
    > >
    > > The thing is that addresses are changing every 48 hours.

    >
    > You get what you pay for.
    > Bad luck.
    >
    > > Can I use FQDN in configuration instead of IP address for VPN parameters
    > > on PIX?

    >
    > You can, but the PIX will look up the name only once (IIRC).
    >


    No, the Pix will never look up any name, the IOS Router does once and then
    saves the IP address to the config!
    You can't even configure a nameserver in PIX!


    > > If Cisco couldn't do that, is there any other solution that would work?

    >
    > You get one cheap product, so go out and buy another cheap router. Of course,
    > they lack several features, but they can deal with dyndns (cheap!) or X.31
    > calls over ISDN (cheap!).
    >
    > You might have a look at Bintec.


    There is another option: if you know Perl, there is a module called
    "net::telnet::cisco".
    With this module you can write a script that checks if the address of the
    opposite site changes and, if so, changes the crypto map and ISAKMP parameters
    on PIX.
    I already did it with IOS Routers and it works pretty stable for about two
    years now.


    Jens
     
    Jens Haase, Jul 15, 2004
    #3
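
An added example, not part of any post in this thread: the check-and-reconfigure idea from post #3, written in Python rather than Perl, covering only the decision logic (delivery to the device is left out). The crypto map name `vpnmap`, sequence number 10, the `resolver` parameter and the PIX 6.x-style `crypto map ... set peer` / `isakmp key ... address` lines are assumptions for illustration. Because the peer address now comes from DNS, the example refuses ambiguous or non-public answers and masks the pre-shared key before anything is logged.

```python
import ipaddress
import socket

CRYPTO_MAP = "vpnmap"   # hypothetical crypto map name
MAP_SEQ = 10            # hypothetical crypto map sequence number


def resolve_peer(fqdn, resolver=socket.gethostbyname_ex):
    """Return the single public IPv4 address behind fqdn, or raise ValueError."""
    _, _, addrs = resolver(fqdn)
    if len(set(addrs)) != 1:
        raise ValueError(f"expected exactly one A record, got {addrs}")
    ip = ipaddress.IPv4Address(addrs[0])
    # A dyndns record pointing into private, loopback or reserved space is
    # stale or has been tampered with; never hand it to the firewall.
    if not ip.is_global:
        raise ValueError(f"refusing non-public peer address {ip}")
    return str(ip)


def peer_change_commands(old_ip, new_ip, psk):
    """Config lines that move the tunnel from old_ip to new_ip ([] if unchanged)."""
    if old_ip == new_ip:
        return []
    return [
        f"no crypto map {CRYPTO_MAP} {MAP_SEQ} set peer {old_ip}",
        f"no isakmp key {psk} address {old_ip} netmask 255.255.255.255",
        f"isakmp key {psk} address {new_ip} netmask 255.255.255.255",
        f"crypto map {CRYPTO_MAP} {MAP_SEQ} set peer {new_ip}",
    ]


def redact(commands, psk):
    """Copy of the commands that is safe to log: the pre-shared key is masked."""
    return [c.replace(psk, "********") for c in commands]
```

A Telnet session carries the enable password and the pre-shared key in cleartext, so a script like this belongs on the inside network or behind an encrypted management channel.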
  4. Ivan Ostres

    Ivan Ostres Guest

    In article <-jena.de>,
    says...
    > * Ivan Ostres wrote:
    > > I have a very specific situation. I have a user with two sites connected
    > > to internet using ADSL (in Europe). He doesn't have a static address on
    > > any site. He would like site-to-site VPN (yes, cheap) so we are
    > > considering using PIX 501 on every location and using dyndns service.
    > >
    > > The thing is that addresses are changing every 48 hours.

    >
    > You get what you pay for.
    > Bad luck.
    >


    Actually it's a customer's problem. He was cheap. (I was consulting on
    datacenter and he came up with this question... "..by the way, can we
    use....")

    > You get one cheap product, so go out and buy another cheap router. Of course,
    > they lack several features, but they can deal with dyndns (cheap!) or X.31
    > calls over ISDN (cheap!).
    >
    > You might have a look at Bintec.
    >


    Thanks a bunch, I will take a look at Bintec.

    --
    -Ivan.

    *** Use Rot13 to see my eMail address ***
     
    Ivan Ostres, Jul 15, 2004
    #4
